Sponsored by the National Science Foundation Introduction to OpenFlow Niky Riga GENI Project Office

Sponsored by the National Science Foundation 2 “The current Internet is at an impasse because new architecture cannot be deployed or even adequately evaluated” [PST04] Modified slide from: [PST04]: Overcoming the Internet Impasse through Virtualization, Larry Peterson, Scott Shenker, Jonothan Turner Hotnets 2004

Sponsored by the National Science Foundation 3 OpenFlow… Enables innovation in networking Changes practice of networking Google’s SDN WAN

Sponsored by the National Science Foundation 4 OpenFlow basics How OpenFlow works … (1.0) What’s new in OpenFlow 1.3 Network Function Virtualization OpenFlow basics

Sponsored by the National Science Foundation 5 OpenFlow’s basic idea

Sponsored by the National Science Foundation 6 OpenFlow’s basic idea

Sponsored by the National Science Foundation 7 OpenFlow is an API Modified slide from : Control how packets are forwarded Implementable on COTS hardware Make deployed networks programmable –not just configurable Makes innovation easier

Sponsored by the National Science Foundation 8 OpenFlow benefits [1] External control –Enables network Apps –General-purpose computers (Moore’s Law) –Deeper integration –Network hardware becomes a commodity Centralized control –One place for apps to interact (authentication, auth, etc) –Simplifies algorithms –Global Optimization and planning [1]: OpenFlow: A radical New idea in Networking, Thomas A. Limoncelli CACM 08/12 (Vol 55 No. 8)

Sponsored by the National Science Foundation 9 Deployment Stories Google global private WAN [1] Connects dozens of datacenters worldwide with a long-term average of 70% utilization over all links Stanford Campus deployment Part of Stanford campus migrated to OpenFlow Microsoft Azure DataCenter [2] Internet 2 - AL2S Can build Layer 2 circuits between any Internet 2 end-points NTT’s BGP Free Edge [1] B4: Experience with a Globally-Deployed Software Defined WAN, SIGCOMM’13, Jain et al [2] Keynote ONS June 2015Keynote ONS June

Sponsored by the National Science Foundation 10 GENI and OpenFlow deployment Key GENI concept: slices & deep programmability –Internet: open innovation in application programs –GENI: open innovation deep into the network Good old Internet Slice 0 Slice 1 Slice 2 Slice 3 Slice 4 Slice 1 OpenFlow switches one of the ways GENI is providing deep programmability

Sponsored by the National Science Foundation 11 OpenFlow Switches GENI Rack GENI-enabled regionals e.g. CENIC Internet2 AL2S

Sponsored by the National Science Foundation 12 GENI OpenFlow Experiments Prasad Calyam, Missouri Dipankar (Ray) Raychaudhuri, Rutgers, leads MobilityFirst VDC: real-time load-balancing functionality deep into the network to improve QoE MobilityFirst: A new architecture for the Internet designed for emerging mobile/wireless service requirements at scale Mike Zink Umass Amherst NowCast SDX: Improve in-time weather forecasting using Software Defined eXchanges

Sponsored by the National Science Foundation 13 OpenFlow basics What’s new in OpenFlow 1.3 Network Function Virtualization How OpenFlow works … (1.0)

Sponsored by the National Science Foundation 14 OpenFlow versions (Dec ’09) OpenFlow Simple & widely supported (Feb ‘11) OpenFlow Not implemented by HW vendors (Dec ‘11) OpenFlow 1.2 First ONF standard (‘12/’13) OpenFlow 1.3.x Complex & support in progress (Oct ‘13) OpenFlow 1.4 (‘11) Open Networking Foundation (ONF) formed to shepherd standards (Nov‘13) OpenFlow (Dec’ 14) OpenFlow 1.5

Sponsored by the National Science Foundation 15 OpenFlow controllers Open source controller frameworks –NoX – C++ –PoX - Python –OpenDaylight - Java –FloodLight - Java –Trema – C / Ruby –Maestro - Java –Ryu - Python Production controllers –Mostly customized solutions based on Open Source frameworks –ProgrammableFlow - NEC

Sponsored by the National Science Foundation 16 OpenFlow Switch Data Path (Hardware) Control Path OpenFlow Any Host OpenFlow Controller OpenFlow Protocol (SSL/TCP) Modified slide from : The controller is responsible for populating forwarding table of the switch In a table miss the switch asks the controller

Sponsored by the National Science Foundation 17 OpenFlow in action Switch Data Path (Hardware) Control Path OpenFlow Any Host OpenFlow Controller OpenFlow Protocol (SSL/TCP) Modified slide from : Host1 sends a packet If there are no rules about handling this packet –Forward packet to the controller –Controller installs a flow Subsequent packets do not go through the controller host1 host2

Sponsored by the National Science Foundation 18 OpenFlow Basics (1.0) Switch Port MAC src MAC dst Eth type VLAN ID IP Src IP Dst IP ToS TCP sport TCP dport RuleActionStats 1.Forward packet to port(s) 2.Encapsulate and forward to controller 3.Drop packet 4.Send to normal processing pipeline 5.Modify Fields + mask what fields to match Packet + byte counters slide from : IP Prot VLAN PCP

Sponsored by the National Science Foundation 19 Use Flow Mods Going through the controller on every packet is inefficient Installing Flows either proactively or reactively is the right thing to do A Flow Mod consists of : –A match on any of the 12 supported fields –A rule about what to do matched packets –Timeouts about the rules: Hard timeouts Idle timeouts –The packet id in reactive controllers –Priority of the rule

Sponsored by the National Science Foundation 20 OpenFlow common PitFalls Controller is responsible for all traffic, not just your application! –ARPs, DHCP, LLDP Reactive controllers –Cause additional latency on some packets –UDP – many packets queued to your controller by time flow is set up Performance in hardware switches –Not all actions are supported in hardware No STP to prevent broadcast storms

Sponsored by the National Science Foundation 21 OpenFlow datapaths Switch Data Path (Hardware) Control Path OpenFlow Any Host OpenFlow Controller OpenFlow Protocol Different OpenFlow modes –switches in pure OF mode are acting as one datapath –Hybrid VLAN switches are one datapath per VLAN –Hybrid port switches are two datapaths (one OF and one non- OF) OpenFlow enabled devices are usually referred to as datapaths with a unique dpid Each Datapath can point to only one controller at a time! It is not necessary that 1 physical device corresponds to 1 dpid

Sponsored by the National Science Foundation 22 Multiplexing Controllers Only one controller per datapath FlowVisor, FSFW are proxy controllers that can support multiple controllers FlowSpace describes packet flows : –Layer 1: Incoming port on switch –Layer 2: Ethernet src/dst addr, type, vlanid, vlanpcp –Layer 3: IP src/dst addr, protocol, ToS –Layer 4: TCP/UDP src/dst port Switch Data Path (Hardware) Control Path OpenFlow Any Host FLowSpace Firewall OpenFlow Protocol (SSL/TCP) Any Host OpenFlow Controller Any Host OpenFlow Controller OpenFlow Protocol (SSL/TCP)

Sponsored by the National Science Foundation 23 Sharing of OpenFlow resources In GENI: –Slice by VLAN for exclusive VLANs –Slice by IP subnet and/or eth_type for shared VLANs In FIRE: On iMinds testbed –Slice by inport On OFELIA testbed –Slice by VLAN

Sponsored by the National Science Foundation 24 OpenFlow Experiments Debugging OpenFlow experiments is hard: –Network configuration debugging requires coordination –Many networking elements in play –No console access to the switch Before deploying your OpenFlow experiment test your controller.

Sponsored by the National Science Foundation 25 OpenFlow basics How OpenFlow works … (1.0) Network Function Virtualization What’s new in OpenFlow 1.3

Sponsored by the National Science Foundation 26 Why OpenFlow 1.3? OF 1.0 primary complaint = too rigid OF 1.3 gains* Greater match and action support Instructions add flexibility and capability Groups facilitate advanced actions Meters provide advanced counters Per-table features Custom table-miss behavior …and more! * OpenFlow 1.1 and 1.2 introduced some of the features we will discuss. However, due to the relative lack in adoption of OpenFlow 1.1 and 1.2, we will consider such features as OpenFlow 1.3 features. slide provided by Ryan Izard

Sponsored by the National Science Foundation 27 OpenFlow eXtensible Match - OXM OpenFlow 1.0OpenFlow 1.1OpenFlow sdn/openflow/message- layer/ Variable-length list of matches, in any order in contrast to rigid match structure of OF 1.0/1.1 slide provided by Ryan Izard

Sponsored by the National Science Foundation 28 OpenFlow 1.3 Matches Increased match support w/OXM –Ingress port –Ethernet –VLAN –IPv4 –TCP –UDP –ARP –MPLS –PBB –ICMPv4 –ICMPv6 –IPv6 –Tunnel –SCTP –Metadata –Custom/Expe rimenter slide provided by Ryan Izard

Sponsored by the National Science Foundation 29 OpenFlow 1.3 Actions Set field –Any OXM Push/Pop –VLAN –MPLS –PBB Set queue Goto group Output TTL –Set –Decrement Custom/Experimente r slide provided by Ryan Izard

Sponsored by the National Science Foundation 30 OpenFlow 1.3 Instructions Apply actions –List of actions to perform immediately Write actions –List of actions to perform later Clear actions –Clear list of accumulated “write actions” Meter –Send to an installed meter Goto table –Send to another table in the switch Write metadata –Store some “data” associated with the packet as it traverses table(s) slide provided by Ryan Izard

Sponsored by the National Science Foundation 31 OpenFlow 1.3 Meters Monitor and rate-limit packets Multiple meter “bands” define different rate thresholds if (rate > t1) do_this; else if (rate > t2) do_that; else if (rate > t3) drop_it; else do_nothing;

Sponsored by the National Science Foundation 32 OpenFlow 1.3 Groups Allow more complex actions Bucket = (list of actions) + (optional params) Actions can be unique per bucket ALL, SELECT, INDIRECT, FAST FAILOVER

Sponsored by the National Science Foundation 33 Community Support Great software switch support –OVS supports everything* except meters Present protocol support for meters Table features supported in (master) Groups fully supported in –ofsoftswitch supports meters but does not support all other OpenFlow 1.3 features Hit-and-miss support with HW vendors –Some vendors… H#, Br###de technically do, but buggy (or is it a feature?) Wide controller support *to my knowledge

Sponsored by the National Science Foundation 34 OpenFlow 1.3 Controller Roles OpenFlow 1.3 integrates roles in protocol –Role = controller read/write permissions for each switch –MASTER + SLAVE Exactly one master controller per switch Zero or more slaves per switch Only the master controller can write All (other) slave controllers can read –EQUAL All controllers can read and write Likely requires synchronization between controllers (e.g. HA) But, doesn’t Nicira has role extension for OF 1.0? –Same idea for MASTER and SLAVE –Nicira’s OTHER role = OpenFlow 1.3’s EQUAL role slide provided by Ryan Izard

Sponsored by the National Science Foundation 35 Table Miss Behavior What to do if a packet matches no flows? Previously, a property of the flow table –Typically, send to the controller In OpenFlow 1.3, defined by a flow –Zero-priority and fully-wildcarded match –User-defined actions and instructions –Can send to controller (most common) –Or, can do what YOU want slide provided by Ryan Izard

Sponsored by the National Science Foundation 36 Table Features Problem: Many OpenFlow features are optional, not required Solution: Table Features specify capabilities of each table –Matches, actions, instructions, etc. Do table features indicate match co-dependencies or hardware vs. software support? slide provided by Ryan Izard

Sponsored by the National Science Foundation 37 OpenFlow basics How OpenFlow works … (1.0) What’s new in OpenFlow 1.3 Network Function Virtualization

Sponsored by the National Science Foundation 38 Network Devices NAT firewall DHCP DNS switch VPN router gateway proxy access point Any network device can be OpenFlow enabled software

Sponsored by the National Science Foundation 39 SDN and NFV Slide from:

Sponsored by the National Science Foundation 40 QUESTIONS?

Sponsored by the National Science Foundation 41 Multi-Version OF Handshake Handshake –Message-exchanging process to establish an OpenFlow channel between a controller and a switch –Need to negotiate common OpenFlow version Algorithm –Switch says “Hello version_X” with OF version X –Controller says “Hello version_Y” with OF version Y –Switch and controller each pick lower version of X and Y (theirs < mine) ? theirs : mine; e.g. (X < Y) ? X : Y; Caveat… –Algorithm requires support for each OF version up to and including the “Hello” version advertised –Not the case in implementation/practice Fix for (controller >= OF1.3) && (switch >= OF1.3) –Hello advertises highest version + version bitmap for negotiation slide provided by Ryan Izard

Sponsored by the National Science Foundation 42 OpenFlow Auxiliary Connections Multiple control connections per switch –Parallelize some operations –Negotiated on a per-switch basis –Aux ID 0 = main; Aux ID > 0 = other Controller chooses which connection to use –Main –Aux 1 –Aux 2 –…etc. ID=0 (main) ID=1 ID=2 DPID=11:22:33:44:55:66:77:88 slide provided by Ryan Izard

Sponsored by the National Science Foundation 43 OpenFlow Multipart Messages Steady-state controller- to-switch “queries” Efficiently process large requests Flow stats, port stats, group stats, meter stats, table features… Request and reply pairs with same XID OFPMPF_REQ_MORE flag for more messages slide provided by Ryan Izard